This Week's Attitude

VA Theft Came After Security Vulnerability Warning

By Neil S. Friedman

"Can you imagine what access to 26 million names -with which to steal identities and commit who knows how much thievery - would be worth to hi-tech criminals?"Is this any way to run a government? You'd think almost five years after the terrorist attacks on our soil and with sophisticated electronic hackers having the capability for mass identity theft, the federal government would have the ultimate security system in place for every agency.

But, that doesn't seem to be the case, as we recently learned when the Veterans Administration revealed that without authorization an employee took home a computer disc containing gigabytes of vital data, including all-important Social Security numbers and dates of birth, on 26.5 million veterans.

One encouraging aspect - if any - is that the pilfered data did not include health records or financial information. However, with a Social Security number any individual's electronic life is susceptible to theft, as law enforcement agencies and other government bureaus have cautioned for years. Meanwhile, veterans have been warned to keep a watchful eye on their financial records.

Officials said it is possible the perpetrators have yet to determine the significance of the information they have or how to use it. Nevertheless, the VA said it is taking every precaution to protect and inform veterans discharged from the mid-1970's onward.

Until a thorough investigation is complete, it won't be determined what discipline the data analyst faces, but there's something fishy because no sooner was the disc at his house than it was burglarized, reportedly for the first time - ever! The employee, whose name has not yet been divulged, has been on administrative leave pending an investigation. Don't wanna get too Oliver Stone-conspiratorial here, but it just seems too much of a coincidence.

But, twist of fate or not, investigators must determine why the VA employee took the data home and how it could have happened. It seems logical that that much information should be kept as secure as the nation's defense strategies and IRS records. But maybe, just maybe, until now, bureaucratic complacency left the information vulnerable. Now that the proverbial barn door has been left open every federal agency should be required to review its security policies and monitor employees more closely.

After all, if the security-conscious Bush Administration and National Security Agency deems it important enough to keep tabs on 100 million citizens' phone calls for possible terrorist links, then perhaps federal employees, in the wake of the VA fiasco, should be kept under similar surveillance to reassure citizens that the information the government has on them is secure.

It's difficult, at this time, to speculate what the VA data analyst's motive was, but his action tends to lean towards him being a data terrorist in league with a den of ID thieves that can ruin countless lives.

Can you imagine what access to more than 26 million names - with which to steal identities and commit who knows how much thievery - would be worth to hi-tech criminals?

As the House Veterans Affairs Committee chairman Steve Buyer said at a recent hearing, "We have a meltdown in VA's information management...that has resulted in a catastrophic failure to safeguard sensitive personal data."

One security company executive testified that it is difficult to "secure something that you can't manage."

A VA employee who testified at the hearing said it was "complex bureaucracy that doesn't communicate well."

In the first place, I presumed it was SOP (standard operating procedure) that government agencies don't communicate well. (Does FEMA/Hurricane Katrina debacle ring a bell? Or the longstanding FBI/CIA rivalry?). On the other hand, isn't the phrase "complex bureaucracy" an oxymoron?

Last fall, the VA's Inspector General reported, "(The VA) has not been able to effectively address its significant information security vulnerabilities..."

When that red flag went up, it should have been the VA's wake-up call to make essential security changes. But, in typical bureaucratic fashion, the cautionary sign was ignored until its security was breached.

What puzzles me is why every single member of the House and Senate isn't screaming how outrageous this is and demanding an immediate shakeup at the VA. This is a perfect opportunity for political grandstanding!

Heck, if this were a state or local issue, you know State Senator Carl Kruger, whose a member of the Veterans Affairs Committee, would have insisted on an immediate inquiry and held a press conference at some local veterans memorial to spotlight his cause.

The few times I've dealt with the VA since my discharge - during the Vietnam War - have been a nightmare of red tape and bureaucratic bungling. I expected nothing more from a bloated bureaucracy.

But this latest fiasco is the perfect example of a government agency's penchant for negligence and incompetence. If one single veteran suffers any financial or other loss that can be traced to the theft of the VA data, the federal government should be held accountable and responsible for making equitable compensation.

Knowing the government's classic snail's pace for practical solutions, perhaps the problem at the VA can be rectified in time for Veterans Day - but not necessarily this year or the next or the one after that...